A method for performing a lookup of a packet against an access control
list. In one example, the method includes receiving an access control
list, partitioning said list into two or more complementary sets, and for
each set, forming a tree having one or more end nodes including filtering
rules, and internal nodes representing decision points, thereby forming
at least two trees. In one example, when a packet arrives, the two or
more trees are traversed using the packet header information, wherein the
decision points in the internal nodes are used to guide the packet
selection down the trees to an end node.
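
An added sketch of the lookup described above (not code from the patent). It assumes rules on source address and destination port, first-match-wins semantics, a partition into wildcard-source and source-specific rules, and median cut points; the abstract specifies none of these, and every name in the code is hypothetical.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "prio src dport action")  # assumed shape; ranges are inclusive
ANY_SRC, ANY_PORT = (0, 2**32 - 1), (0, 65535)

def ip(s):
    return int.from_bytes(bytes(int(x) for x in s.split(".")), "big")

ACL = [Rule(i, *r) for i, r in enumerate([  # constructed sample, first match wins
    ((ip("10.0.0.0"), ip("10.0.0.255")), (22, 22), "permit"),
    (ANY_SRC, (22, 22), "deny"),
    (ANY_SRC, (23, 23), "deny"),
    ((ip("10.0.0.0"), ip("10.255.255.255")), (80, 443), "permit"),
    (ANY_SRC, (445, 445), "deny"),
    (ANY_SRC, (3389, 3389), "deny"),
    ((ip("192.168.0.0"), ip("192.168.255.255")), ANY_PORT, "permit"),
    (ANY_SRC, ANY_PORT, "deny"),
])]

def build(rules, f, leaf_size=2):
    # Tree over packet field f (0=src, 1=dport); nodes are cut points, leaves hold rules.
    lows = sorted({r[f + 1][0] for r in rules})
    cut = lows[len(lows) // 2] if lows else 0
    left = [r for r in rules if r[f + 1][0] < cut]    # can match values below cut
    right = [r for r in rules if r[f + 1][1] >= cut]  # can match values at or above cut
    if len(rules) <= leaf_size or len(rules) in (len(left), len(right)):
        return ("leaf", sorted(rules))                # no useful cut left
    return ("node", cut, build(left, f, leaf_size), build(right, f, leaf_size))

def matches(r, pkt):
    return all(r[f + 1][0] <= pkt[f] <= r[f + 1][1] for f in (0, 1))

def walk(tree, f, pkt):
    while tree[0] == "node":                          # decision point guides descent
        tree = tree[2] if pkt[f] < tree[1] else tree[3]
    return next((r for r in tree[1] if matches(r, pkt)), None)

def build_trees(acl):
    # Assumed partition: wildcard-source rules (cut on port) vs. the rest (cut on source).
    wild = [r for r in acl if r.src == ANY_SRC]
    spec = [r for r in acl if r.src != ANY_SRC]
    return [(build(wild, 1), 1), (build(spec, 0), 0)]

def classify(trees, pkt):  # traverse every tree, keep the highest-priority hit
    hits = [h for h in (walk(t, f, pkt) for t, f in trees) if h]
    return min(hits).action if hits else "deny"       # assumed implicit deny

def linear(acl, pkt):                                 # reference: plain top-down scan
    return next((r.action for r in acl if matches(r, pkt)), "deny")
```

Because the sets are complementary, a packet can hit a rule in each tree; the result must be reconciled by rule priority, or a lower-priority deny in one tree could shadow a permit in the other (or the reverse).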